World Economic Forum: Toward the Quantification of Cyber Risks

By modeling their exposure to various cyber risks and quantifying their impact, organizations can invest more effectively in projects and programs aimed at addressing persistent, pernicious cyber threats.

Imagine it’s 2020. How will our world look? If the current global environment is any indication, economic, geopolitical, and cyber threats will continue, with increasingly sophisticated cyber attacks an ongoing fact of life. Possibly, through some combination of new technologies and new governance, we will see a significant shift in cyber advantage. In the meantime, however, we live in an environment where it’s neither technically possible nor financially practical for businesses to be 100 percent secure. So what can we, as individuals and businesses, do to protect against this very real and rising threat?

To answer that question, Deloitte and more than 100 representatives from industry-leading companies, technology vendors, regulators, and the public sector suggested a concept known as cyber value-at-risk at this year’s World Economic Forum (WEF) in Davos, Switzerland, to advance the goal of developing a shared approach to cyber risk quantification. Their work is part of the WEF’s broader “Partnering for Cyber Resilience” initiative, begun in 2011 with the goal of raising awareness of cyber risk and developing more rigorous approaches to mitigating it. This year the initiative focused on ways to model, measure, and quantify the impact of cyber risks and organizations’ exposure to them. Participants summed up their work and unveiled the cyber value-at-risk model in the report, “Towards the Quantification of Cyber Threats.”

The cyber value-at-risk model offers many benefits. Perhaps most important, it can help organizations predict their financial loss thresholds (e.g., we should lose no more than X over Y time period) for various types of cyber attacks. Additionally, by quantifying the impact of various cyber risks and an organization’s exposure to them, the model serves to help organizations shape their cyber programs and prioritize related investments based on risk.

To apply the model, organizations should understand both the drivers of cyber risk (e.g., their vulnerability to attack, the value of their critical assets, and the profile or sophistication of potential attackers) and the dependencies among them. Cyber value-at-risk can be tailored to different organizations and industries.

Quantifying risks using a model like cyber value-at-risk is an important component of cyber risk management programs, and one that supports what Deloitte calls a Secure.Vigilant.Resilient.™ posture. To address growing threats, organizations should continually assess the value of their most important assets and their shifting risk profile, and determine what levels and types of cyber risk they deem acceptable. They can then invest accordingly in cost-justified controls (secure) while focusing equal—or, in some cases, greater—effort on gaining more insight into threats (vigilant) and responding more effectively to reduce their impact (resilient). A legacy approach, focused on traditional IT compliance-and-controls efforts, no longer provides an acceptable level of protection for most organizations.

An effective cyber risk program starts with an organization understanding the specific risks it faces: Who might want to attack and why? What vehicles or vulnerabilities could attackers leverage? Answering those questions will help guide investments in preventive security controls. If, through their vigilance, organizations can detect the early stages of a cyber attack, those threats can be more effectively isolated and mitigated. And if, through better preparedness, organizations are equipped to respond with optimal effectiveness, the various forms of damage can be minimized. The appropriate balance between these three elements will vary from organization to organization, and even across different parts of a single organization. In any case, managing cyber risk is not a necessary evil, but an activity that can help organizations maintain shareholder value and facilitate peak performance.

In the coming weeks, Deloitte Insights for CIO Journal will report in greater depth on cyber value-at-risk. Until then, feel free to share your thoughts on cyber risk issues with me via Twitter (@Deloitte or @jacquesbuith) using the hashtag #impactThatMatters.
